Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia

We discovered a new campaign targeting organizations in Turkey, Pakistan and Tajikistan that has some similarities with an earlier campaign named MuddyWater, which hit various industries in several countries, primarily in the Middle East and Central Asia. Third party security researchers named the MuddyWater campaign as such because of the difficulties in attributing the attacks. However, given the nature of the targets, as well as the gathering and uploading of information to C&C servers, it appears that the attackers are mainly concerned with espionage activities — with the Saudi Arabia’s National Cyber Security Center (NCSC) publishing an alert on their website regarding the attacks.

Given the number of similarities, we can assume that there is a connection between these new attacks and the MuddyWater campaign. It also signifies that the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries.

In addition to the common characteristics seen above, the campaigns also use similar obfuscation processes, as are the internal variables after deobfuscation. A list of isDebugEnv is also present in both campaigns.

Infection Chain

Figure 1. Infection chain for the attack

Our research found malicious delivery documents (Detected by Trend Micro as JS_VALYRIA.DOCT and W2KM_VALYRIA.DOCT) containing text and file names in the Tajik language attempting to target individuals working for government organizations and telecommunication companies in Tajikistan. Each document uses social engineering to trick potential victims into clicking it to enable the macros and activate the payload. While some of the payloads we observed were embedded inside the document itself, some of the payloads were also downloaded from the internet after the lure was clicked.There is a separate lure with a program key generator written in Java that was bundled with a Java downloader. However, the actual payload is the same.

Some examples of the lure documents used in the campaign can be seen below:

Figure 2. A sample document used in the campaign. Note that it uses the Tajikistan emblem, signifying that this is likely used to target government organizations or make it seem that it came from one

Figure 3. A second lure document that we found being used in the campaign designed to look like a document sent to telecommunication companies regarding dissatisfaction with their service; it also asks them to fill out a form, which can be seen in the table at the bottom

Figure 4. Another example of a header allegedly from the Ministry of Internal Affairs of Tajikistan

After enabling the macros and the payload executes, two files – an obfuscated Visual Basic script (Detected by Trend Micro as VBS_VALYRIA.DOCT), and an obfuscated PowerShell script (Detected by Trend Mico as TROJ_VALYRIA.PS) — are created in the ProgramData directory placed in randomly-named directories. The purpose of the .VBS script is to execute the PowerShell script. The path to the VBS script is added to the task scheduler as a form of persistence.

Figure 5. The installed backdoor and persistence script

In other campaigns, two files are also dropped. One of them is the VBS script, however, the second file is a base64 encoded text file, which, after decoding, results in the Powershell file, as in the previous campaign. This is one simple layer of obfuscation, likely to avoid some antivirus detections.

The latest change, drops three files – an.sct scriptlet file, an.inf file and a base64 encoded data file. The scriptlet file and inf file use publicly available code for bypassing applockerCode examples are also available on github.

The PowerShell script, which employs several layers of obfuscation, is divided into three parts.

Part one contains global variables like paths, encryption keys, a list of a few hundred gates or hacked websites which serve as proxies:

Figure 6. The configuration portion of the PowerShell script

The second part contains functions related to the encryption, which is a standard RSA encryption with very small keys.

The third part contains the backdoor function. This function will first collect machine information and take screenshots before it sends this data to a command-and-control (C&C) server while waiting for commands. These include the following actions: clean, reboot, shutdown, screenshot, and upload.

The clean command attempts to recursively delete all the items from drives C, D, E, and F.

Figure 7. The clean command wipes drives C, D, E and F

C&C Communication

The communication is done via XML messages with the following supported ACTION commands:

REGISTER

IMAGE

COMMAND RESULT

UPLOAD

The backdoor first finds out the machine IP address by querying the internet service api[.]ipify[.]org, which returns the IP address of the currently infected machine. This IP address is then fed to another internet service called apinotes[.]com, which returns the location information of the given IP address.

The backdoor then collects the system information about the infected machine such as the Operating System name, architecture, domain, network adapter configuration, and username. It then separates each piece of information with **, and sends this system info as part of the REGISTER message:

Figure 8. The register message before encryption

A simple RSA algorithm with very small keys encrypts the message seen above. Let’s take the first character as an example. Character “{” = 0x7B =123. Variable ${prIVATE} = 959, 713 from section 1 of the PowerShell script has two values; the first number is the key and the second number is the modulus. By computing (123 ^ 959) mod 713 = 340 we get the encrypted value of the first character (see number 340 in the figure below). The message above gets encrypted as shown in figure 9 below, then its contents are sent via post request to one of many hacked gates.

Figure 9. The register message after encryption

The response to this message is another set of decimal numbers which can be decrypted by the public key, which is stored in ${pUbLIC} = 37, 437 variable in part 1 of the PowerShell script.

Figure 10. The encrypted response to the register message

The message above can be decrypted to:

{“STATUS”: “OK”, “TOKEN”: “d02153ffaf8137b1fa3bb852a27a12f8”}

The XML message containing screenshot can be seen below. Note that the previously obtained SYSID that serves as a machine identifier, ACTION:”IMAGE” tells us that a base64 encoded image will be followed in IMAGE field.

Figure 11. The XML message with the screenshot

It seems that the attackers are actively monitoring the incoming connections to the C&C. In one of our attempts, we sent an improper request to the C&C server, which replied with the following message: “Stop!!! I Kill You Researcher.” This level of personalized messaging implies that the attackers are monitoring what data is going to and from their C&C server.

Figure 12. When the threat actor discovers the researcher via an improper request

Another hidden message or a false flag?

For the PowerShell script, the first part contains a variable named dragon_middle, which is an array containing a few hundred URLs ending with connection.php that serve as proxies between victim and C&C. If communication with C&C fails, and if the PowerShell script is run from a command line, a few error messages written in simplified Mandarin Chinese are displayed, with a curious phrase that translates to “waiting for dragon”:

无法访问本地计算机寄存器 (Unable to access local computer register)

任务计划程序访问被拒绝 (Mission Scheduler access is denied)

无法连接到网址，请等待龙 (Cannot connect to URL, please wait for dragon)

无法连接到网址，请等待龙 (Cannot connect to website, please wait for dragon)

These messages may not reveal anything about the real attackers as the malware writers sometimes like to embed false flags into their programs to confuse researchers. The syntax and grammar suggest that the language could have been machine-translated rather than written by a native speaker.

Countermeasures and Trend Micro Solutions

Users unfamiliar with the various kinds of social engineering techniques might find it difficult to distinguish a legitimate message from a malicious one – thus the need for education on identifying and mitigating phishing attacks – especially if it involves organizations in sensitive industries such as government and manufacturing. Context, in this case, is important. Users need to consider why they received an email and avoid clicking on any links or attachments in general until they are certain that they are legitimate.

Trend MicroDeep Discovery provides detection, in-depth analysis, and proactive response to today’s stealthy malware, and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.

These solutions are powered by the Trend Micro XGen security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads.

About site

This is experimental project, which search automatically antivirus, security, malware, etc. news and alerts. If you want add/delete source or post, let us know. We will add/delete it. We'd like make place, where you can find security information from various sources with correct backlink back to source.